Minor security problem in The Bat!

[3APA3A () SECURITY NNOV RU (3APA3A)]

Hello,

"The Bat!" by RitLabs is extremely convenient mail agent with a lot of
features  for Windows platforms. One of "The Bat!" features is storing
files  attached to e-mail messages apart from messages bodies. In this
case  "The  Bat!"  puts  attached  files  in  preconfigured folder and
removes  according  MIME  part  from message. Instead, "The Bat!" adds
additional pseudo-header X-BAT-FILES, something like:

      X-BAT-FILES: D:\Home\Incoming\attachment.doc

There are few possible troubles:

1. Then forwarding message with attachment this header isn't stripped.
This  fact  allows  recipient  of  the  forward  to  know the physical
location  of  the  user's  incoming files. This can be very useful for
attack  like  in  "Georgi  Guninski  security  advisory  #8, 2000" ;-)
because  you  can  send  any file to user and you will know where this
file will be located.

2. "The Bat!" doesn't check headers of the incoming message to contain
this header (and this is even more dangerous). Intruder can spoof this
header, for example to specify
    X-BAT-FILES: C:\WINDOWS\user.dat
in  message  headers.  In  this  case  user.dat will appear as message
attachment!  If  recipient  will forward this message user.dat will be
attached  to forward. If recipient will delete this message and option
"Delete  attached  file  then  message  deleted  from trash folder" is
checked C:\WINDOWS\user.dat will be deleted.

Tested with version 1.39

Vendor contacted.

http://www.security.nnov.ru

P.S.  "The Bat!" users will see their own c:\autoexec.bat  attached to
mail...
         /\_/\
        { . . }     |\
+--oQQo->{ ^ }<-----+ \
|  3APA3A  U  3APA3A   }
+-------------o66o--+ /
                    |/
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*